The pipeline is broken into two. The first one is triggered when the public repo is tagged. It then tags the private repo, builds and uploads the builder and base images, and pushes a new commit to the release (merged) repo. This pipeline also does text manipulation on several files in the release repo to ensure that the images uploaded by this pipeline are always the ones used to reproducibly build the release repo at that commit. The second pipeline is then triggered by a commit to the release repo; it builds, signs and uploads the proxy image. Also updated the dependency lock files to use the latest plugin dependencies, which are uploaded to the GCS repo. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=244666211
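# To run the build locally, install cloud-build-local first.
# You will need access to a private registry, so be sure to install the docker
# credential helper.
# See: https://cloud.google.com/cloud-build/docs/build-debug-locally
# Then run:
# cloud-build-local --config=cloudbuild-proxy.yaml --dryrun=false --substitutions TAG_NAME=[TAG] ..
# This will create a docker image named gcr.io/[PROJECT_ID]/proxy:[TAG] locally.
# The PROJECT_ID is the current project name that gcloud uses.
#
# To manually trigger a build on GCB, run:
# gcloud builds submit --config cloudbuild-proxy.yaml --substitutions TAG_NAME=[TAG] ..
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# Notes for reviewers of this pipeline:
# - Every step runs in gcr.io/${PROJECT_ID}/builder:latest, a mutable tag. Whatever that
#   tag resolves to at build time produces the proxy image that gets signed below, so the
#   builder image is part of the trusted computing base of the attestation. The
#   accompanying release process is expected to rewrite this reference to a fixed image
#   before the release build runs; confirm that before relying on it for reproducibility.
# - TAG_NAME is a build substitution and is used unquoted in shell and sed below. The
#   `docker build --tag` step runs first and docker only accepts tags made of
#   [A-Za-z0-9_.-] (not starting with "." or "-"), so a tag containing shell or sed
#   metacharacters should fail that step before reaching the later ones -- verify.
steps:
# Set permissions correctly. Not sure why it is necessary, but it is.
# NOTE(review): this leaves the whole checkout world-writable for the rest of the build.
# It only affects the ephemeral build worker, but anything else running in these
# containers can alter sources after this point and before they are built and signed.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['chown', '-R', 'root:root', '.']
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['chmod', '-R', '777', '.']
# Build the deploy jar. Tests run in the same invocation; dependencies are resolved from
# the project's GCS-backed Maven and plugin repositories rather than public mirrors.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args:
  - './gradlew'
  - ':proxy:test'
  - ':proxy:deployJar'
  - '-x'
  - 'autoLintGradle'
  - '-PmavenUrl=gcs://domain-registry-maven-repository/maven'
  - '-PpluginsUrl=gcs://domain-registry-maven-repository/plugins'
  dir: 'gradle'
# Build the docker image.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['docker', 'build', '--tag', 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}', '.']
  dir: 'gradle/proxy'
# Move config files to the working directory. This is necessary because of Spinnaker limitations.
# It will concatenate `location' and `path' in the artifact field to construct the artifact
# path, even though the artifact is always uploaded to the `location', and `path' can be a regular
# expression.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  entrypoint: /bin/bash
  args: ['-c', 'mv java/google/registry/proxy/kubernetes/* .']
# Replace the tag "latest" with the git tag that triggered this build. This is due to a bug in
# Spinnaker where the tag is appended to the image name when the deployment pipeline is triggered
# by GCB pubsub messages. The bug is fixed in https://github.com/spinnaker/echo/pull/498 and we can
# remove this step and the "latest" tag in the manifests when Spinnaker 1.13 is deployed.
# The substitution has no `g` flag, so only the first ":latest" on each line is rewritten, and it
# rewrites every ":latest" in these manifests, not only the proxy image reference.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  entrypoint: /bin/bash
  args: ['-c', 'sed -i s/:latest/:${TAG_NAME}/ proxy-*.yaml']
# Push the image. We can't let Cloud Build's default processing do that for us
# because we need to push the image before we can sign it in the following
# step.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['docker', 'push', 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']
# Get the image digest and sign it.
# The script is a literal block (|-) so that the trailing backslashes are real shell line
# continuations. In a folded block (>) each "\<newline>" is folded to "\ ", which bash reads as
# an escaped space glued onto the next argument rather than as a continuation.
# The digest is looked up by tag after the push, so a tag re-pushed in between would be the one
# attested rather than the image built here; capturing the digest from the push would close that
# window. Until then, refuse to sign unless the lookup yields exactly one well-formed digest, so
# an empty or multi-line result can never be passed to sign-and-create.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  entrypoint: /bin/bash
  args:
  - -c
  - |-
    set -euo pipefail
    hash=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
      --format="get(digest)" --filter="tags = ${TAG_NAME}")
    if ! [[ "$hash" =~ ^sha256:[0-9a-f]{64}$ ]]; then
      echo "Refusing to sign: expected exactly one digest for tag ${TAG_NAME}, got '$hash'" >&2
      exit 1
    fi
    gcloud --project=${PROJECT_ID} alpha container binauthz attestations \
      sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/proxy@$hash \
      --attestor=build-attestor --attestor-project=${PROJECT_ID} \
      --keyversion-project=${PROJECT_ID} --keyversion-location=global \
      --keyversion-keyring=attestor-keys --keyversion-key=signing \
      --keyversion=1
# Images to upload to GCR. Even though the image has already been uploaded, we still include it
# here so that the GCB pubsub message contains it (for Spinnaker to consume).
images: ['gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']
# Config files to upload to GCS.
artifacts:
  objects:
    location: 'gs://${PROJECT_ID}-deploy/${TAG_NAME}'
    # This cannot be regexs because of how Spinnaker constructs artifact paths.
    paths:
    - 'proxy-deployment-alpha.yaml'
    - 'proxy-deployment-crash.yaml'
    - 'proxy-deployment-sandbox.yaml'
    - 'proxy-deployment-production.yaml'
    - 'proxy-deployment-crash-canary.yaml'
    - 'proxy-deployment-sandbox-canary.yaml'
    - 'proxy-deployment-production-canary.yaml'
    - 'proxy-service.yaml'
    - 'proxy-service-canary.yaml'
timeout: 3600s
options:
  machineType: 'N1_HIGHCPU_8'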